In brief, Canadian fast food chain Tim Hortons is settling several data privacy lawsuits against it by offering something it knows how to make: a donut and a coffee.
The Canadian Broadcasting Corporation (CBC) said Friday that the Timmies settlement still requires court approval, but if given the go-ahead, users of the Tim Hortons mobile app affected by the chain's improper data collection “will receive a free hot drink and a baked good.”
Tim Hortons must also permanently delete any geolocation data improperly collected by its apps and instruct third-party providers who had access to the data to do so.
Between May 2019 and August 2020, Tim Hortons mobile apps collected users’ geolocation data without their knowledge or consent, a Canadian government investigation has found.
According to that investigation, Tim Hortons updated its apps specifically to add location tracking technology operated by a US company called Radar. The code collected location data from devices every few minutes to infer customers’ home and work locations and to see whether they were buying donuts elsewhere.
The investigation found that the app continued to collect data even when it was in the background and only stopped if the app was closed.
Tim Hortons said it never used the geolocation data it collected to target ads and permanently removed the Radar code from its apps in September 2020. “The very limited use of this data was done aggregated and de-identified to study trends in our business – and the results did not include personal information from any guests,” Tim Hortons said in June when the lawsuits against it began.
Based on Canadian prices, affected Tim Hortons customers can expect the class-action settlement to pay out about C$2.88 ($2.25) in free food and drink per person, which may well be more than class members would have seen in cash.
Kaspersky has detailed UEFI firmware-level malware called CosmicStrand. The rootkit hides in the firmware images of Gigabyte and ASUS motherboards, and has been found on machines belonging to private individuals in China, Vietnam, Iran and Russia. When Windows boots on an infected machine, CosmicStrand tampers with the kernel, allowing it to silently gain control of the computer and its applications and to communicate with a remote command-and-control server.
Cyber-scum agree: container files are the new macros
As Microsoft struggles to curb abuse of Office macros, cybercriminals are now turning to creating malicious container files to infect victims with malware. And by container files, we mean things like disk images and archives, not Docker containers and the like.
According to Proofpoint research, the use of Visual Basic for Applications (VBA) and XL4 macros to launch attacks against Microsoft Office users has dropped by 66 percent since October 2021, when Microsoft announced plans to block macros in downloaded Office files.
“From October 2021 to June 2022, threat actors moved away from macro-enabled documents directly attached to messages to deliver malware and increasingly used container files such as ISO attachments and RAR and Windows Shortcut (LNK) files,” Proofpoint said.
Over the same period in which macro attacks declined, container file attacks increased by 175 percent, Proofpoint said. “More than half of the 15 tracked threat actors that used ISO files in that time began using them in campaigns after January 2022,” Proofpoint said. Attacks using LNK files have also increased.
Along with the rise in emailed malicious container files, Proofpoint said it also noticed a slight increase in the use of HTML attachments to deliver malware. While attacks using HTML attachments doubled during the period Proofpoint examined for its report, the overall numbers remain low, it said.
Microsoft began blocking Internet-sourced Office macros earlier this year, though the change was temporarily withdrawn in early July due to usability complaints. As of July 22, macro blocking has been reactivated.
Proofpoint believes that container files are likely to become the new standard for launching email attacks, so get ready to start blocking them, if you haven’t already.
“Proofpoint researchers assess with high confidence that this is one of the biggest changes to the email threat landscape in recent history,” the group said.
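Blocking container attachments by file extension alone is weak, because the attacker controls the file name. As an added illustration (not part of the original article or of Proofpoint's research), the Python below classifies an attachment by its content for the container formats named above, ISO, RAR, ZIP and LNK, and descends into ZIPs to catch a LNK hiding behind a double extension. The magic bytes come from the public format specifications (MS-SHLLINK, ISO 9660 and the RAR signatures); the sample attachments are constructed inline, and the function names and the block policy are this example's own assumptions.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Magic bytes from the public format specs (MS-SHLLINK, ISO 9660, RAR).
# A LNK header is the 4-byte HeaderSize (0x4C) followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} in on-disk GUID byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"
ISO_PVD_OFFSET = 0x8000         # primary volume descriptor lives in sector 16
ISO_PVD_MAGIC = b"\x01CD001"    # descriptor type 1 + "CD001" identifier

BLOCKED_KINDS = {"iso", "rar", "lnk"}   # hypothetical policy for this example
MAX_DEPTH = 3                           # stop unpacking nested archives here


def container_type(data: bytes) -> Optional[str]:
    """Classify by content, never by the attacker-chosen file name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    end = ISO_PVD_OFFSET + len(ISO_PVD_MAGIC)
    if len(data) >= end and data[ISO_PVD_OFFSET:end] == ISO_PVD_MAGIC:
        return "iso"
    return None


def scan_attachment(name: str, data: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """Return (path, kind) for every container found, descending into ZIPs.
    RAR and ISO members are not unpacked (no stdlib reader); reporting the
    outer container is enough for a block decision."""
    kind = container_type(data)
    if kind is None:
        return []
    findings = [(name, kind)]
    if kind == "zip" and depth < MAX_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                findings += scan_attachment(f"{name}/{info.filename}", member, depth + 1)
    return findings


def should_block(name: str, data: bytes) -> bool:
    return any(kind in BLOCKED_KINDS for _, kind in scan_attachment(name, data))


# Constructed samples (not real malware): header-only LNK, a PDF, a bare ISO.
SAMPLE_LNK = LNK_MAGIC + bytes(60)
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + bytes(64)
SAMPLE_ISO = bytes(ISO_PVD_OFFSET) + ISO_PVD_MAGIC + bytes(2048)


def _zip_with(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, blob in members:
            zf.writestr(fname, blob)
    return buf.getvalue()


# A benign ZIP holding a PDF, and a ZIP hiding a double-extension LNK.
SAMPLE_ZIP_CLEAN = _zip_with([("report.pdf", SAMPLE_PDF)])
SAMPLE_ZIP_LNK = _zip_with([("readme.txt", b"open the invoice"),
                            ("invoice.pdf.lnk", SAMPLE_LNK)])

if __name__ == "__main__":
    for n, d in [("invoice.pdf", SAMPLE_LNK), ("docs.zip", SAMPLE_ZIP_CLEAN),
                 ("docs.zip", SAMPLE_ZIP_LNK), ("update.iso", SAMPLE_ISO)]:
        print(n, scan_attachment(n, d), "BLOCK" if should_block(n, d) else "allow")
```

Note that the renamed `invoice.pdf` sample is still caught as a LNK because only the bytes are consulted; in a real gateway the same content check belongs on every member of every archive the gateway can open, not just the outermost file.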
Robin Banks: Easier than ever
A new phishing platform-as-a-service has emerged, and its purpose is right there in its name: Robin Banks.
First discovered by IronNet researchers, Robin Banks gained more attention when the security firm found it was behind a large-scale phishing campaign targeting Citibank customers that was also attempting to steal Microsoft account credentials.
Robin Banks sells ready-made phishing kits focused on stealing victims’ financial account information, hosts all the infrastructure needed to execute attacks for its clients, and has customization features so users can create their own phishing kits.
To access the platform, thieves must pay $50 a month for a single phishing page, or $200 a month for a larger package.
Robin Banks primarily targets US financial institutions and has templates for Bank of America, Capital One, Citibank and more. It also offers templates for Lloyds Bank and Commonwealth Bank of Australia, and for Netflix, Microsoft and Google accounts.
According to the researchers, the June campaign that alerted IronNet investigators to Robin Banks’ level of activity was “very successful,” with numerous victims’ account details being sold on the dark web or Telegram. Investigators believe the campaign is still expanding.
IronNet said Robin Banks isn’t particularly sophisticated, but stands out because it offers 24/7 support and shows a “distinct dedication to pushing updates, fixing bugs and adding features to its kits.”
Based on its investigation, IronNet said that Robin Banks appears to be focused on selling phishing kits to low-skilled users motivated solely by profit. “Cybercriminals using the Robin Banks kit often post their victims’ monetary data on Telegram and various other websites, listing the hacked account balances of various victims,” IronNet said.
While the report does not reveal who is behind Robin Banks or where they are located, IronNet said its investigation has identified potential suspects. IronNet also estimated how much money Robin Banks’ users have illicitly accessed through the platform: more than $500,000, a figure it said is growing every day.
Expect Robin Banks to react to the publicity as well, IronNet said: “Given the criminal operator’s clear dedication to managing and improving the platform, we suspect that the threat actor behind Robin Banks will change tactics or tools as a result of this report.”
North Korean malware steals emails as you read them
A well-established North Korean cyber gang known as SharpTongue has adopted a previously undocumented family of malware capable of stealing email and attachments as victims read them.
The new malware, called SHARPEXT by the Volexity researchers who discovered it, exists as an extension for Microsoft Edge, Chrome and the Chromium-based Whale, a web browser rarely used outside South Korea.
Unlike previous SharpTongue campaigns, SHARPEXT does not attempt to steal any credentials. “Rather, the malware directly inspects and exfiltrates data from the victim’s webmail account as they browse,” Volexity said. Gmail and AOL webmail are the only two services SHARPEXT targets.
SHARPEXT is the first malicious browser extension Volexity has observed being installed as part of the post-exploitation phase of an attack. Installing the extension is a manual process, performed by the attackers on a Windows PC once it has been compromised.
“By stealing email data in the context of a user’s already logged-in session, the attack hides itself from the email provider, making detection very difficult. Similarly, the way the extension works means that suspicious activity would not be logged on a user’s email ‘account activity’ status page, if reviewed,” Volexity said.
SharpTongue has been deploying SHARPEXT for more than a year, Volexity said. To help combat the malware, Volexity has provided YARA rules and IOCs in its report. The researchers also recommend enabling PowerShell ScriptBlock logging and reviewing its output, since PowerShell is used in the SHARPEXT installation process, and regularly checking installed browser extensions for any loaded from outside the Chrome Web Store.
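Volexity's recommendation to look for extensions loaded from outside the Chrome Web Store can be automated from the browser profile: Chrome keeps per-extension metadata (`update_url`, `from_webstore`, `path`, `location`, the manifest) under `extensions.settings` in the profile's Preferences JSON, and on Windows in the HMAC-protected Secure Preferences file. The Python below is an added example, not Volexity's tooling or code from the report. The `location` codes are Chromium's `ManifestLocation` enum, the store update URLs are the ones the Chrome Web Store and Edge Add-ons use, the sample profile is constructed inline, and the function names and the broad-host-permission heuristic (an extension must be able to read webmail pages to do what SHARPEXT does) are this example's own assumptions.

```python
import json
from pathlib import Path
from typing import Dict, List

# Update URLs used by the official stores (Chrome Web Store, Edge Add-ons).
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}
# ManifestLocation values from Chromium's extensions/common/mojom/manifest.mojom.
LOCATION_NAMES = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
BUILTIN_LOCATIONS = {5, 10}        # shipped inside the browser; skip these
SIDELOAD_LOCATIONS = {2, 3, 4, 8}  # pref/registry sideload, unpacked dir, --load-extension
# Host patterns that let an extension read every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(prefs: dict) -> List[Dict[str, str]]:
    """One finding per extension that did not come from an official store."""
    findings = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        loc = ext.get("location")
        if loc in BUILTIN_LOCATIONS:
            continue
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("from_webstore=false")
        if ext.get("update_url") not in STORE_UPDATE_URLS:
            reasons.append(f"update_url={ext.get('update_url') or '<none>'}")
        if loc in SIDELOAD_LOCATIONS:
            reasons.append(f"location={LOCATION_NAMES.get(loc, loc)}")
        if not reasons:
            continue
        manifest = ext.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        if perms & BROAD_HOSTS:
            reasons.append("reads all sites")   # heuristic: can see webmail content
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "<unknown>"),
            "path": ext.get("path", ""),
            "reasons": "; ".join(reasons),
        })
    return findings


def audit_profile(profile_dir: str) -> List[Dict[str, str]]:
    """Merge Preferences and Secure Preferences from a profile directory
    (Windows keeps the extension settings in the latter) and audit them."""
    merged: dict = {"extensions": {"settings": {}}}
    for fname in ("Preferences", "Secure Preferences"):
        p = Path(profile_dir) / fname
        if p.is_file():
            data = json.loads(p.read_text(encoding="utf-8"))
            merged["extensions"]["settings"].update(
                data.get("extensions", {}).get("settings", {}))
    return audit_extensions(merged)


# Constructed sample profile: one store-installed extension, one sideloaded
# unpacked extension with broad host access. IDs and paths are hypothetical.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1,
        "update_url": "https://clients2.google.com/service/update2/crx",
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Ad blocker", "permissions": ["storage"]},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4,
        "path": "C:\\Users\\Public\\fonthelper",
        "manifest": {"name": "Font Helper",
                     "permissions": ["tabs", "webRequest", "<all_urls>"]},
    },
}}}

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS):
        print(f"{f['id']}  {f['name']}  {f['path']}  -> {f['reasons']}")
```

Run `audit_profile()` against each user's profile directory (for Chrome on Windows, under `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>`) from an endpoint-management job, and treat an unpacked or non-store extension with broad host permissions as something to pull and inspect rather than merely list.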
No More Ransom celebrates 6 years and 1.5 million decryptions
No More Ransom, a joint initiative between law enforcement and cybersecurity companies that distributes free ransomware decryption software, recently celebrated six years in operation and claims that in that time it has helped more than 1.5 million ransomware victims recover their files.
Founded in 2016, No More Ransom started with four partners: the Dutch police, Europol, Kaspersky and McAfee, and has since grown to 188 partners in law enforcement, cyber security and other industries.
One hundred and thirty-six tools covering 165 ransomware families are available for download from the No More Ransom site and have been collectively downloaded more than 10 million times, the project claims.
Ransomware, which infects systems, encrypts files, often exfiltrates documents and demands payment for decryption, is a serious problem that only continues to grow. A SonicWall report earlier this year found a 105 percent increase in ransomware incidents in 2021 and a threefold increase since 2019. Ransomware attacks against government entities have grown even faster, with…